<p>Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Considering the source
code is intended to be deployed across multiple assets, including source code repositories or application hosting servers, the secrets might get
exposed to an unintended audience.</p>
<h2>Why is this an issue?</h2>
<p>In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment.
Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated
services or resources.</p>
<p>The trust issue can be more or less severe depending on the people’s role and entitlement.</p>
<p>In that case, the wallet seed phrase, also known as a recovery phrase or mnemonic seed, is arguably the most critical element in managing
cryptocurrency.<br> Its importance cannot be overstated, as it serves as the master key to entire crypto portfolios.</p>
<h3>What is the potential impact?</h3>
<p>The consequences vary greatly by situation and by audience.<br> Below is the critical impact of an attacker accessing the wallet phrase.</p>
<h4>Cryptocurrency theft</h4>
<p>Access to your seed phrase means complete control over your wallet. An attacker can import your wallet on their own device and drain all your
assets to their own address.<br> Due to the irreversible nature of blockchain transactions, there is no way to undo the theft.</p>
<h2>How to fix it</h2>
<h3>Immediately generate a new wallet</h3>
<p>You cannot change the seed phrase for an existing wallet. A seed phrase is the master key from which all your wallet’s private keys are
mathematically derived.<br> Therefore, the correct procedure is not to "change" the phrase, but to move your funds to a new wallet with a new seed
phrase.</p>
<p>Then, transfer the assets from the old wallet to the new one.</p>
<h3>Store the phrase in a secure location</h3>
<p>Store this new backup in an extremely secure, offline location. Do not take a photo of it or store it on any internet-connected device.</p>
<p>If you need to store it digitally, consider using a hardware wallet or a dedicated secret vault.</p>
<h3>Code examples</h3>
<h4>Noncompliant code example</h4>
<pre data-diff-id="1" data-diff-type="noncompliant">
import { HDNodeWallet } from 'ethers'

const mnemonic = 'donate clutch sport betray purpose monitor lift blame slide spin crunch marriage'
const mnemonicWallet = HDNodeWallet.fromPhrase(mnemonic) // Noncompliant
</pre>
<h4>Compliant solution</h4>
<pre data-diff-id="1" data-diff-type="compliant">
import { HDNodeWallet } from 'ethers'

const mnemonic = process.env.SECRET
const mnemonicWallet = HDNodeWallet.fromPhrase(mnemonic)
</pre>
<h3>How does this work?</h3>
<p>While the noncompliant code example contains a hard-coded seed phrase, the compliant solution retrieves the secret’s value from its
environment.<br> This allows it to have an environment-dependent secret value and avoids storing the phrase in the source code itself.</p>
<h2>Resources</h2>
<h3>Documentation</h3>
<ul>
  <li> AWS Documentation - <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html">What is AWS Secrets Manager</a> </li>
  <li> Azure Documentation - <a href="https://learn.microsoft.com/en-us/azure/key-vault/">Azure Key Vault</a> </li>
  <li> Google Cloud - <a href="https://cloud.google.com/secret-manager/docs">Secret Manager documentation</a> </li>
  <li> HashiCorp Developer - <a href="https://developer.hashicorp.com/vault/docs">Vault Documentation</a> </li>
</ul>
<h3>Standards</h3>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">Top 10 2021 - Category A7 - Identification and
  Authentication Failures</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication">Top 10 2017 - Category A2 - Broken
  Authentication</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/798">CWE-798 - Use of Hard-coded Credentials</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/259">CWE-259 - Use of Hard-coded Password</a> </li>
</ul>
